Microsoft reports scareware decline, praise from hackers

Wednesday, November 4, 2009

Microsoft this week disclosed new evidence that the good guys may be getting the upper hand on cybercriminals -- at least some of the time.

The software giant says it is seeing decreases in scareware, those obnoxious online promotions that try to frighten you into paying for worthless antivirus protection, along with a decline in those faked Flash player updates that actually download viral coding that allows the bad guys to take full control of your PC.

During the first six months of 2009, Microsoft's Malicious Software Removal Tool cleansed scareware infections from 13.4 million Windows PCs, down from 16.8 million in the last six months of 2008.

Additionally, Microsoft in the first six months of 2009 disinfected copies of the Zlob Trojan found on 2.3 million PCs, down from 21.1 million PCs cleansed of Zlob in the last six months of 2008 -- a 10-fold decrease.

You've likely run across Zlob if you've ever gotten an email or an instant message, or a Facebook or MySpace private message, or a Twitter microblog enticing you to click on a Web link to check out an enticing video. Clicking on the link opens a dialogue box that asks you to download a Flash player update needed to view the video. By clicking "yes" to the download, you infect your PC with Zlob, a nasty bit of coding that turns your PC into a bot, making it part of a bot network, used for criminal pursuits.

Better cooperation and responsiveness from tech security companies and growing public awareness of online scams has helped the good guys finally begin to slow down cyber criminals, at least some of the time, says George Stathakopoulos, Microsoft's General Manager of Trustworthy Computing. "We're starting to make a dent," he says.

Microsoft even got kudos from the bad guys. Its researchers recently received an attaboy from the author of Zlob buried in the coding of a recent variant of the Trojan. The hacker complemented Microsoft for effectively blunting Zlob infections, and indicated he was discontinuing the Zlob family of infections. Microsoft provided this excerpt of the hacker's message:

"Just want to say 'Hello' from Russia. You are really good guys. It was a surprise for me that Microsoft can respond on threats so fast. I can't sign here now (he-he, sorry) . . . Happy New Year, guys, and good luck!
P.S. BTW, we are closing soon. "

Yet despite the progress defending two major battlefronts, the cyberunderground continues to thrive, says Stathakopoulos. Messaging worms, like Koobface, continue to send out millions of private messages and postings. Often appearing to come from a trusted source, including popular social networks such as Facebook, MySpace and Twitter, these messages carry irresistible enticements to click on tainted Web links.

And self replicating worms, like Conficker and Taterf continue to steadily infect more and more PCs. Both Taterf and Conficker spread via tainted USB flash drives.

The main way a PC gets infected is when a viral flash drive gets inserted into its USB port. The virus launches a program that looks for computers nearby sharing the internal network, and spreads the infection to those machines. As part of this loop, it corrupts all of the USB ports on each newly infected machine. So each freshly-infected PC gets primed to taint any clean flash drive that subsequently gets plugged into any of its USB ports. And the cycle repeats exponentially.

In the first six months of 2008, the number of copies of Conficker or Taterf cleansed off PCs by Microsoft rose 98.4% as compared to the last six months of 2008. The first-half 2009 total includes 4.9 million PCs cleansed of Tartef, compared to two million Tartef inoculations in the last six months of 2008, a 156% spike.

Stathakoupoulos says Conficker continues to spread at approximately the same rate as corporations can flush it out and clean it up. He says the number of Conficker infected machines, mostly inside corporate networks, remains stable at about five million.

However, Sunbelt Software CTO Eric Sites notes that a number of reliable reports indicate the number of Conficker infections recently topped seven million. "The spread, and the battle, is very much continuing," says Sites, even though "nothing much has been done" on the part of the bad guys to put Conficker-infected PCs to work in criminal pursuits. Security experts say Conficker's controllers aren't likely to make a move to deploy one of the largest botnets ever assembled as long as the worm remains under heavy scrutiny.



Post a Comment